Oracle issues massive quarterly update with Java fixes
The security update for Java included 29 fixes across Java SE and Java for Business products. Fifteen of the Java flaws earned the highest score of 10 on the company's Common Vulnerability Scoring System (CVSS).
The quarterly security update for enterprise products included 85 security fixes, 31 of which are for Oracle's newly acquired Sun Product Suite. Sixteen of the Sun bugs are remotely exploitable.
Alex Rothacker, manager of database protection vendor Application Security's research team, told SCMagazineUS.com on Wednesday that the update represents one of the largest ever for the database giant.
“Eighty-five is certainly bigger than anything they have done in the past,” Rothacker said. “On the database side, I would say it is business as usual.”
Seven fixes were doled out for the popular Database Server, though only one of the vulnerabilities is remotely exploitable. The most severe Database Server flaw that was patched earned a CVSS score of 7.5. It affects Oracle Enterprise Manager Grid Control, a tool used to manage Oracle databases, and may be exploited over a network without the need for a username and password. However, Oracle Enterprise Manager Grid Control is an optional component that is not used by everyone, Rothacker said.
Meanwhile, one vulnerability affecting Database Server is more severe than its score suggests, Rothacker said. CVE-2010-2415, an SQL injection vulnerability that received a CVSS score of 4.9, could allow the complete takeover of the database management system. Because of its severity, the flaw should have been given a much higher CVSS score, he added.
Tuesday's enterprise product update also included 21 fixes for the PeopleSoft and JDEdwards Suite, eight for Fusion Middleware, six for the E-Business Suite, four for the Siebel Suite, two for the Supply Chain Products Suite and one for the Primavera Products Suite. Rounding out the update, Oracle released four fixes for Oracle VM and a single patch for Enterprise Manager Grid Control.
This was a rare instance when security updates for Java were released in concert with ones for other Oracle products, Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post Tuesday.
Oracle recommended that customers apply the updates as soon as possible.